every government procurement system in real time and serves as the central repository of statistical information on federal contracting, containing detailed information on contract actions of more than $2,500. In May 2003, GSA awarded Global Computer Enterprises, Inc. a $24 million seven-year fixed price contract with performance incentives to develop and maintain a new Federal acquisition database for the FPDS-NG system. In June 2004, responsibility for managing the FPDS-NG was transferred within GSA from the Office of Governmentwide Policy (OGP) to the OCAO.

Objectives, Scope, and Methodology

Our audit objectives were to determine whether GSA is effectively managing the development and implementation of the FPDS-NG to: (1) improve system functionality and usability; (2) provide necessary system security controls; (3) ensure timely and accurate procurement data; and (4) meet customers' reporting requirements at a reasonable cost. If not, what changes are needed to ensure the success of the FPDS-NG system?

Our review assessed FPDS-NG data accuracy and completeness, project management, reporting availability, and system controls. To perform our review of the FPDS-NG system, we met with appropriate officials within OGP and the OCAO. To review data accuracy and completeness, we reviewed a sample of GSA contracts from the FPDS-NG to compare system data to the official contract files. We also interviewed system users within OGP, the Federal Supply Service (FSS), the Public Buildings Service (PBS), and the Federal Technology Service (FTS).[1] We met with GSA system users from FTS Central Office, Region 1 and Region 11; PBS Central Office, Region 1 and Region 11; and FSS Central Office. We also attended Change Control Board (CCB) meetings and monitored CCB activities pertaining to FPDS-NG.
Our review did not include a detailed assessment of data submissions from other Federal agencies.

[1] A pending GSA reorganization established the new Federal Acquisition Service (FAS), which consolidated FSS and FTS.

To analyze system functionality and project management, we interviewed contract personnel including the project manager, system architect and developers, and security officials. To gain an understanding of the FPDS-NG contract, we met with the contracting officer and the contracting officer’s technical representative. We analyzed the FPDS-NG contract No. GS00M03PDC0004 including system requirements established with the contract and corresponding modifications to the contract.

System security controls were assessed in conjunction with our annual FY 2004 FISMA review and reported in our September 27, 2004 report. Detailed findings for vulnerability scan results and specific FISMA control weaknesses for the FPDS-NG were previously provided in the FY 2004 Office of Inspector General Information Security Review of The Federal Procurement Data System - Next Generation, Report Number A040179/O/T/F05013, January 11, 2005, to the GSA Chief Information Officer (CIO) and FPDS-NG management. In conjunction with the FISMA review, we evaluated the FPDS-NG risk assessment, security plan, system testing and evaluation results, certification and accreditation letters, contingency plan, and plan of action and milestones. We reviewed GSA’s agency-wide Information Technology (IT) Security Policy and procedures and guidelines including GSA Order CIO Handbook 2100.1A[2], GSA Information Technology (IT) Security Policy, January 13, 2003; GSA Order CPO 1878.2, Conducting Privacy Impact Assessments (PIAs) in GSA, May 28, 2004; and GSA CIO-IT Security-02-21 IT Security Procedural Guide, Linux Red Hat Hardening, August 30, 2002.
We also relied on applicable regulations and policies to assess FPDS-NG, including: Office of Management and Budget (OMB) Circular No. A-130 Revised, Appendix III, Security of Federal Automated Information Resources, November 2000; Federal Information Security Management Act, Title III, December 2002; Federal Acquisition Regulation, Subpart 4.6-Contract Reporting, April 22, 2004; and General Accounting Office (GAO)[3] Letter, Reliability of Federal Procurement Data, December 30, 2003. To obtain information on commonly accepted security principles, we relied on the National Institute of Standards and Technology Special Publication 800 series security guidelines.

We performed our audit review work in calendar year 2004 and monitored FPDS-NG CCB activities through December 2005. Audit work was performed in accordance with generally accepted government auditing standards.

Results of Audit

The FPDS-NG is critical to Federal efforts to improve the collection and reporting of accurate and complete procurement data. However, certain contract and system requirements have not been addressed due to insufficient contract monitoring throughout the development and implementation of the system. Further, some key reports cannot yet be provided for system users. Improved oversight is an important step toward ensuring that contract and system requirements for FPDS-NG have been followed and implemented. Further, maintaining complete and accurate data within FPDS-NG is critical for producing necessary procurement reports. Our review of a selected sample of GSA’s contracts found discrepancies for some data elements in the system and raises concerns about the reliability of data already contained in the new system.
System-specific security risks, including: the need to integrate security costs into the life cycle of the system, background checks for contractors supporting FPDS-NG, and the need to develop a more comprehensive approach to monitoring risks with the system need to be addressed. Strengthening management, operational, and technical controls for FPDS-NG will promote user satisfaction and long-term success for this important system. Another important issue is meeting customers' reporting requirements at a reasonable cost. At this time, FPDS-NG standard reports and ad hoc reports are free and organizations or citizens who want to access the raw data within the system are charged a one-time fee of $2,500.

[2] CIO Handbook 2100.1A, January 2003, has been replaced by CIO Handbook 2100.1 B, November 5, 2004.

[3] The GAO's legal name was changed to the Government Accountability Office on July 7, 2004.

Improvements Needed For Communicating Contract and System Requirements

Requirements for system security and functionality were not always effectively communicated by GSA to the FPDS-NG contractor. An operational system was to be provided by the contractor on October 1, 2003, with all remaining development services to be provided no later than January 23, 2004. However, an inadequate level of communication between GSA and the contractor has resulted in specific system contract requirements not being available and led to problems with the system. For instance, the FPDS-NG contract specifies a list of 33 sample reports be developed for the system. However, one report named “Top 100 Contracts,” was not provided to the contractor as stated in the contract.
The “Top 100 Contracts” report is categorized as a General Summary Report which displays the largest transaction dollar actions in descending order for a specified award date period, with agency and contract information, dollar amounts, and contractor name. Each Contract Number (and Order Number, if present) should link to the Contract Lifecycle Report. Further, while the contractor received a financial incentive for delivering the system on October 1, 2003, system functionality required by the contract, such as the 29 validation rules required by the Department of Defense (DoD), were not completed on the delivery and acceptance of the system. These validation rules were to be completed within 14 calendar days after GSA delivered DoD clarifications. Due to the missing components, the incentive amount was reduced from $393,369 to $363,000 through an agreement between GSA and the contractor. At the time of our 2004 FISMA review, the contractor had also not yet been provided with all applicable GSA security policies and procedures needed for FPDS-NG’s development. While GSA officials did not communicate these contract requirements to the contractor, no attempts were made by the contractor to request the necessary policies and procedures from GSA. Although the FPDS-NG contract requires system developers to follow the GSA IT Security Policy, the system was not in compliance with GSA security policy. Such conditions indicate a need to improve the process for conveying information between GSA and the contractor to better ensure that system requirements are effectively communicated and met with the new system.

Discrepancies Found in FPDS-NG Data Elements

Our analysis of 39 GSA contracts, including a comparison of migrated FY 2003 and FY 2004 data to actual contract files maintained by authorized contracting personnel, found discrepancies between FPDS-NG data elements and required formats for the system.
These discrepancies have caused problems in finding historical procurement data migrated from FPDS into FPDS-NG. Instances of incomplete data included contractor mailing address and socio economic data for identifying veteran owned, women owned, minority owned businesses, etc. The following table highlights specific discrepancies we identified for the system’s data elements:

Table 1: Discrepancies Between FPDS-NG Data Elements and the FAR Requirements[4]

Data Element                              Discrepancies
Procurement Instrument Identifier (PIID)  Prefix in front of award ID
Dates                                     Date in the middle column systemically assigned "15"
Contractor Information                    Incomplete*
Socio Economic Data                       Incomplete*

* Data in the Central Contractor Registration (CCR) was either incomplete or the data was not fully populated in FPDS-NG.

[4] Federal Acquisition Regulation (FAR), section 4.6 - Contract Reporting.

Such formatting discrepancies have led to historical procurement data contained in FPDS that could not be found in FPDS-NG and PIID problems, such as structure and changes, with the system.
GSA users of the system have encountered difficulties with contracts migrated from the old system to FPDS-NG in three main areas: (1) updating socio-economic data; (2) posting contract modifications within FPDS-NG; and (3) the PIID number structure/format change. Because of discrepancies in the FPDS-NG data elements, users could not readily retrieve information from the system and other time-consuming measures were sometimes necessary to obtain the needed information.

GSA system users we spoke to also revealed that some base contracts and related modifications that had been previously recorded in the old system could not be located in FPDS-NG, forcing them to manually recreate the missing base contract and related modifications to accurately reflect the dollar amounts obligated and/or de-obligated. Other Federal agencies including: the Department of Education, Department of Housing and Urban Development, and Environmental Protection Agency, have encountered problems locating data and discrepancies between the old system and the new system. Problems have also been identified with the accuracy of Central Contractor Registration (CCR) data within FPDS-NG and voided contracts in FPDS-NG that have not been deleted. Users have also reported problems in locating the Data Universal Numbering System (DUNS) numbers in the CCR. The CCR collects, validates, stores and disseminates data in support of agency acquisition missions and provides the primary vendor database for the Federal Government through FPDS-NG.
As GSA continues to manage the implementation of FPDS-NG, project management and contract personnel need to take steps to resolve data element discrepancies that could hinder effective use of the system.

System Security Control Weaknesses Require Attention

Security weaknesses identified during the FY 2004 Federal Information Security Management Act (FISMA) review raised questions regarding the adequacy of the system Certification and Accreditation (C&A) for FPDS-NG controls. We found that GSA IT security officials, including the Information System Security Manager (ISSM) and the Information System Security Officer (ISSO), had not adequately overseen the security practices of the contractor supporting FPDS-NG, and the contractor was not complying with the GSA IT Security Policy as required by the FPDS-NG contract. While a system security C&A was issued for the system in March 2004, we identified several areas of risk that require management attention in order to meet FISMA requirements and implement GSA’s IT Security Program guidance for FPDS-NG. Specifically, the system C&A documentation did not include critical steps necessary to comprehensively address risks as recommended by the National Institute of Standards and Technology and the GSA Chief Information Officer. The system risk assessment did not include a business impact analysis as required and system technical security guidelines required by GSA’s CIO had not been applied to the system. Sentence is redacted pursuant to Exemption 2 of the Freedom of Information Act (FOIA), 5 United States Code (U.S.C.) § 552(b)(2). Further, the system-level Plan of Action and Milestones (POA&M) for FPDS-NG was not being utilized to mitigate known security weaknesses with the system as required by FISMA. Specifically, security weaknesses, identified through the C&A process, were not being tracked in the system level POA&M as required.
As such, it was unclear as to how risk was being managed for the system.

Security costs were also not integrated into the life cycle of the system as required[5] and the FPDS-NG contractor was not reporting potential security incidents to the Senior Agency Information Security Officer for GSA. We also observed that contractors supporting system operations were granted access to the hardware and operating system software before required background checks had been completed. Compensating controls to mitigate associated risks, such as criminal record checks, greater oversight of contractors, monitoring of detailed audit logs, and obtaining the contractor’s internal background investigation and employment history record, were not in place. Due to the critical nature of this important government-wide system, GSA should take additional steps to ensure weaknesses with FPDS-NG managerial, operational, and technical controls are addressed and corrective actions are implemented.

Recommendations

We recommend that the GSA’s CAO work with the appropriate FPDS-NG management officials and contract personnel to improve the effectiveness of project management by:

1. More closely overseeing that contract and system requirements are effectively documented and communicated in a timely manner to the contractor.

2. Resolving all data element discrepancies and data migration issues.

3. Ensuring that system security weaknesses and corrective actions are continually addressed.

Management Response

We met with the Office of the Chief Acquisition Officer (OCAO) to discuss the results of our review and to confirm our audit findings on January 25, 2006. This report reflects management comments provided on two separate discussion draft reports that were developed since May 11, 2005.
While management has generally concurred with the findings and the three recommendations as presented in the report, written comments provided by the CAO highlight specific actions underway aimed at addressing the identified areas of risk in the report since the completion of our FPDS-NG review last year. Planned or ongoing management actions identified by the CAO include: (1) improving communication and documentation of efforts with the contractor, (2) conducting routine bi-weekly meetings with the contractor, (3) recognizing that data quality is extremely important to the success of FPDS-NG, therefore it is critical to mine the data and produce useful reports, (4) continuing to improve security controls including on-going scans of the system to address vulnerabilities, and (5) enhancing system reporting capabilities. While these actions should improve risk areas in the report, we feel the actions identified by the OCAO support the findings and recommendations documented during the time of our review.

A copy of the management comments is provided in its entirety in Appendix A.

[5] OMB Circular A-11, Preparation, Submission and Execution of the Budget, Section 53 (Revised 07/16/2004).

Internal Controls

As discussed in the Objectives, Scope, and Methodology section of this report, the objectives of our review were to determine whether GSA is effectively managing the development and implementation of FPDS-NG to: (1) improve system functionality and usability; (2) provide necessary system security controls; (3) ensure timely and accurate procurement data; and (4) meet customers’ reporting requirements at a reasonable cost. We analyzed the accuracy and completeness of the system data, project management, functionality, and controls.
The Results of Audit and Recommendations sections of this report identify the need to strengthen specific managerial, operational, and technical controls for FPDS-NG. The scope of our audit did not include a detailed analysis of all data within FPDS-NG, nor did we complete a detailed review of contractual practices used for the system.

REVIEW OF THE FEDERAL PROCUREMENT DATA SYSTEM – NEXT GENERATION (FPDS-NG)
REPORT NUMBER A040127/O/T/F06016

CAO RESPONSE TO DRAFT REPORT

REPORT DISTRIBUTION

                                                                  Copies
Chief Acquisition Officer (V)                                     3
Deputy Chief Acquisition Officer (VA)                             1
Office of Acquisition Systems (VS)                                2
Acting Commissioner, Federal Acquisition Service (FAS)            1
Commissioner, Public Buildings Service, (P)                       1
Chief Information Officer (I)                                     2
Audit Follow-up and Evaluation Branch (BECA)                      1
Assistant Inspector General for Auditing (JA and JAO)             2
Administration and Data Systems Staff (JAS)                       1
Assistant Inspector General for Investigations (JI)               1
Regional Inspector General for Investigations (JI-W)              1
Deputy Assistant Inspector General for Acquisition Audits (JA-A)  1